[Tcl-bugs] [Tcl] (sebres) tkt (New): Very rare bug (segfault) if set variable (with error case) using self-releasable object as new value


akupries
Automated mail by fx, on behalf of [hidden email]

Ticket Change [d47de8c7074021b030c1651fec15ff49d76661a6]
  [Very rare bug (segfault) if set variable (with error case) using self-releasable object as new value]
  By      sebres
  For     Tcl
  On      2017-07-12T19:15:40.290
  Details https://core.tcl.tk/tcl/tinfo?name=d47de8c7074021b030c1651fec15ff49d76661a6
  Ticket  https://core.tcl.tk/tcl/tktview/578155d5a19b348dc1a9fe96cc2c067a59326a89

Changed Fields
  assignee:   nobody
  closer:     nobody
  comment:    I found a very rare but very annoying bug (segfault), if variable will
              set for example using Tcl_ObjSetVar2 or similar.<br/>  In result it
              belongs to very old check-in
              [510663a99e3a096bb7bab7314eb59fc805335318] from 2005.<br/>  I had this
              bug sometimes very-very sporadically, so I executed one of my
              tcl-service under debugger until it not occurred again.

              <h2>PoC:</h2>  <ul>  <li> somewhat will set var varName to newValue
              with `Tcl_ObjSetVar2`, `Tcl_SetVar2Ex` or similar (e. g. with flag
              TCL_LEAVE_ERR_MSG);</li>  <li> thereby this object (newValue) was
              <b>only once referenced</b> (somewhere in interpreter state, e. g.
              something in sub-list or sub-dictionary of interp-result, etc.).
              Emphasis on "only once", so newValue->refCount is 1.</li>  <li> the
              set produces an interim error (for example something going wrong by
              the resolving of the varname, or in trace, etc)</li>  <li> by the
              following throwing of the error-state to interp (result, errorInfo,
              errorCode) this will automatically decrease old object of
              interp-state, which can also remove all children</li>  <li> thus the
              <b>newValue->refCount will be implicit decreased to 0</b>, and object
              newValue will be released.</li>  <li> the problem is then the code
              like here - <a
              href="http://core.tcl.tk/tcl/artifact/3293a2dbff528bd4?ln=1458">artifact/3293a2dbff528bd4?ln=1458</a>
              or <a
              href="http://core.tcl.tk/tcl/artifact/3293a2dbff528bd4?ln=1517">artifact/3293a2dbff528bd4?ln=1517</a>,
              because it tries to access already
              released object newValue (that does not exist anymore!) and decrease
              its reference again and then tries to release it again!</li>  </ul>

              Why I think, that is a bug?

              Because only the caller of `Tcl_ObjSetVar2` really knows that the
              reference of this object should be decremented or not. And because
              explicit decreasing inside `Tcl_ObjSetVar2` is very unexpected
              behavior, IMHO (because rather increased or unmodified).<br/>
              Otherwise the call of `Tcl_ObjSetVar2`, `Tcl_SetVar2Ex` or similar
              should <b>always</b> look like this:  <code><pre>
              Tcl_IncrRefCou
              ...((truncated))
  foundin:    >= 8.5
  is_private: 0
  login:      sebres
  priority:   5 Medium
  resolution: None
  severity:   Critical
  status:     Open
  submitter:  sebres
  subsystem:  07. Variables
  title:      Very rare bug (segfault) if set variable (with error case) using
              self-releasable object as new value
  type:       Bug

------------------------------------------------------------
See Tcl/Tk development @ http://core.tcl.tk/
------------------------------------------------------------
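
The sequence the ticket describes, as an added toy model in C (not Tcl source and not code from the ticket): every type and function name here is hypothetical, a `freed` flag stands in for real deallocation, and the error-path cleanup is an assumed simplification. The caller-held reference in the second run is this example's assumption of a defensive pattern, not a reconstruction of the truncated snippet above.

```c
#include <stdio.h>

/* Toy model, not Tcl source. 'freed' stands in for memory being released,
 * so a later touch is recorded in 'uaf' instead of crashing. */
typedef struct Obj { int refCount, freed, uaf; struct Obj *child; } Obj;
typedef struct { Obj *result; } Interp;

static void incr(Obj *o) { if (o->freed) o->uaf = 1; else o->refCount++; }

static void decr(Obj *o) {
    if (o->freed) { o->uaf = 1; return; }   /* touch after release */
    if (--o->refCount <= 0) {
        o->freed = 1;
        if (o->child) decr(o->child);       /* releasing a parent drops its children */
    }
}

static void set_result(Interp *ip, Obj *r) {
    Obj *old = ip->result;
    incr(r);
    ip->result = r;
    if (old) decr(old);                     /* old interp state goes away here */
}

/* A set that hits an error: the error message replaces the interp result,
 * then the error path looks at newValue again (assumed cleanup: release it
 * if nobody owns it). */
static int failing_set(Interp *ip, Obj *newValue, Obj *errMsg) {
    set_result(ip, errMsg);
    if (newValue->freed) newValue->uaf = 1; /* object is already gone */
    else if (newValue->refCount == 0) decr(newValue);
    return -1;
}

/* Returns 1 if newValue was touched after release, else 0. */
static int scenario(int callerHolds) {
    Obj value = {1, 0, 0, NULL};            /* referenced only by the container */
    Obj container = {0, 0, 0, &value};
    Obj err = {0, 0, 0, NULL};
    Interp ip = {NULL};
    set_result(&ip, &container);            /* interp state owns the container */
    if (callerHolds) incr(&value);          /* caller pins newValue for the call */
    failing_set(&ip, &value, &err);
    if (callerHolds) decr(&value);          /* caller releases its own reference */
    return value.uaf;
}

int main(void) {
    printf("no caller reference: uaf=%d\n", scenario(0));
    printf("caller holds one:    uaf=%d\n", scenario(1));
    return 0;
}
```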
